Commit

chore: clean up extraneous trailing whitespace
brodjieski committed Sep 14, 2023
1 parent 6534990 commit 5acbdbd
Showing 202 changed files with 1,359 additions and 1,359 deletions.
16 changes: 8 additions & 8 deletions CONTRIBUTING.adoc
@@ -7,15 +7,15 @@ Contribute new content, share feedback and ask questions about resources in the
These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time.

=== Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.
This is a moderated platform. NIST will only accept contributions that are contributed per the terms of the license file. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be public and considered publicly available information, unless noted in the license file.

NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,
* contains .exe or .jar file types.

_These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere._
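Review bot: the PII/BII bullet in this hunk opens a parenthesis before the Department of Commerce link that is never closed (`... Open Government (http://www.osec.doc.gov/opog/privacy/PII_BII.html[guidelines]; or,`); since the line is already being touched for trailing whitespace, close the parenthesis after `[guidelines]` so the AsciiDoc renders as intended.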
@@ -28,4 +28,4 @@ NIST also reserves the right to reject or remove contributions from the reposito
* responding to NIST representatives in a timely manner;
* keeping contributions and contributor GitHub username up to date

*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
*GitHub Help:* If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help https://help.github.com/categories/collaborating-with-issues-and-pull-requests/[page].
22 changes: 11 additions & 11 deletions LICENSE.md
@@ -51,9 +51,9 @@ By exercising the Licensed Rights (defined below), You accept and agree to be bo
5. _Downstream recipients._

**A.** _Offer from the Licensor_ – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.

**B.** _No downstream restrictions._ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.

6. _No endorsement._ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).

## b. Other rights.
@@ -75,17 +75,17 @@ Your exercise of the Licensed Rights is expressly made subject to the following
**i.** identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);

**ii.** a copyright notice;

**iii.** a notice that refers to this Public License;

**iv.** a notice that refers to the disclaimer of warranties;

**v.** a URI or hyperlink to the Licensed Material to the extent reasonably practicable;

**B.** indicate if You modified the Licensed Material and retain an indication of any previous modifications; and

**C.** indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.

**2.** You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.

**3.** If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
@@ -116,11 +116,11 @@ For the avoidance of doubt, this Section 4 supplements and does not replace Your
**a.** This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.

**b.** Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:

**1.** automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or

**2.** upon express reinstatement by the Licensor.

For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.

**c.** For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
6 changes: 3 additions & 3 deletions README.adoc
@@ -1,7 +1,7 @@
image::templates/images/mscp_banner_outline.png[]
// settings:
:idprefix:
:idseparator: -
:idseparator: -
ifndef::env-github[:icons: font]
ifdef::env-github[]
:status:
@@ -29,7 +29,7 @@ This project is the technical implementation of NIST Special Publication, 800-21

Apple acknowledges the macOS Security Compliance Project with information on their https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web[Platform Certifications] page.

This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.

To learn more about the project, please see the {uri-repo}/wiki[wiki].

@@ -61,7 +61,7 @@ Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) sta

== Changelog

Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.
Refer to the link:CHANGELOG.adoc[CHANGELOG] for a complete list of changes.

== NIST Disclaimer

2 changes: 1 addition & 1 deletion baselines/all_rules.yaml
@@ -324,7 +324,7 @@ profile:
- pwpolicy_prevent_dictionary_words
- system_settings_wifi_disable_when_connected_to_ethernet
- section: "not_applicable"
rules:
rules:
- os_access_control_mobile_devices
- os_identify_non-org_users
- os_information_validation
8 changes: 4 additions & 4 deletions includes/enablePF-mscp.sh
@@ -4,9 +4,9 @@
enable_macos_application_firewall () {

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on

}

@@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () {
launchctl enable system/macsec.pfctl
launchctl bootstrap system $macsec_pfctl_plist

pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)
pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules)

}

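Review bot: the `pfctl -f /etc/pf.conf 2> /dev/null` line in this hunk discards stderr, so a syntax error in pf.conf or a failed reload leaves the previous ruleset in place silently while the function returns as if the rules were applied; drop the redirection (or send stderr to a log file) and test the exit status so enablement reports failure. The inline comment `#flush the pf ruleset (reload the rules)` is also misleading, since `-f` loads a ruleset file rather than flushing one (`-F` flushes); `#load the pf ruleset from /etc/pf.conf` would match what the command does.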
@@ -147,7 +147,7 @@ block log proto tcp to any port 540
ENDCONFIG
}

####
####

enable_macos_application_firewall
create_macsec_pf_anchors
12 changes: 6 additions & 6 deletions includes/mscp-data.yaml
@@ -1,6 +1,6 @@
---
authors:
all_rules:
all_rules:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -10,7 +10,7 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-53r5_moderate:
800-53r5_moderate:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
@@ -20,12 +20,12 @@ authors:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
800-171:
800-171:
names:
- Bob Gendler|National Institute of Standards and Technology
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
cis_lvl1:
cis_lvl1:
preamble: The CIS Benchmarks are referenced with the permission and support of the Center for Internet Security® (CIS®)
names:
- Edward Byrd|Center for Internet Security
@@ -72,10 +72,10 @@ authors:
- Ekkehard Koch|
- Bob Gendler|National Institute of Standards and Technology
stig:
names:
names:
- Dan Brodjieski|National Aeronautics and Space Administration
- Allen Golbig|Jamf
- Bob Gendler|National Institute of Standards and Technology
- Bob Gendler|National Institute of Standards and Technology
titles:
all_rules: All Rules
800-53r5_high: NIST SP 800-53 Rev 5 High Impact
2 changes: 1 addition & 1 deletion includes/supported_payloads.yaml
@@ -1,4 +1,4 @@
payloads_types:
payloads_types:
- com.apple.ADCertificate.managed
- com.apple.AIM.account
- com.apple.AssetCache.managed
2 changes: 1 addition & 1 deletion rules/audit/audit_auditd_enabled.yaml
@@ -60,7 +60,7 @@ references:
- AU-12(3)
- AU-14(1)
- MA-4(1)
- CM-5(1)
- CM-5(1)
800-53r4:
- AU-3
- AU-3(1)
8 changes: 4 additions & 4 deletions rules/audit/audit_configure_capacity_notify.yaml
@@ -1,7 +1,7 @@
id: audit_configure_capacity_notify
title: "Configure Audit Capacity Warning"
discussion: |
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
check: |
@@ -11,7 +11,7 @@ result:
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
/usr/bin/sed -i.bak 's/.*minfree.*/minfree:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
@@ -20,7 +20,7 @@ references:
- CCI-001855
800-53r5:
- AU-5(1)
800-53r4:
800-53r4:
- AU-5(1)
srg:
- SRG-OS-000343-GPOS-00134
@@ -33,7 +33,7 @@ odv:
recommended: 25
stig: 25
tags:
- 800-53r5_high
- 800-53r5_high
- 800-53r4_high
- cnssi-1253_moderate
- cnssi-1253_low
2 changes: 1 addition & 1 deletion rules/audit/audit_control_acls_configure.yaml
@@ -4,7 +4,7 @@ discussion: |
/etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
check: |
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
result:
result:
integer: 0
fix: |
[source,bash]
6 changes: 3 additions & 3 deletions rules/audit/audit_enforce_dual_auth.yaml
@@ -2,10 +2,10 @@ id: audit_enforce_dual_auth
title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
discussion: |
All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
20 changes: 10 additions & 10 deletions rules/audit/audit_failure_halt.yaml
@@ -1,11 +1,11 @@
id: audit_failure_halt
title: "Configure System to Shut Down Upon Audit Failure"
discussion: |
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
check: |
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
result:
integer: 1
fix: |
@@ -33,13 +33,13 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cnssi-1253_moderate
- cnssi-1253_low
- cnssi-1253_high
2 changes: 1 addition & 1 deletion rules/audit/audit_files_group_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel"
discussion: |
Audit log files _MUST_ have the group set to wheel.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
check: |
2 changes: 1 addition & 1 deletion rules/audit/audit_files_mode_configure.yaml
@@ -1,7 +1,7 @@
id: audit_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
/bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
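Review bot: the `check` in this hunk only accepts log files whose mode string is exactly `-r--r-----` (440), so a file set to a stricter mode such as 400 (`-r--------`) is counted as a failure even though the title and discussion say "mode 440 or less permissive"; if stricter modes are meant to pass, widen the filter to accept either form, for example `/usr/bin/awk '!/-r--(r--|---)---|current|total/{print $1}'`, or reword the rule to require exactly 440.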
4 changes: 2 additions & 2 deletions rules/audit/audit_files_owner_configure.yaml
@@ -1,13 +1,13 @@
id: audit_files_owner_configure
title: "Configure Audit Log Files to be Owned by Root"
title: "Configure Audit Log Files to be Owned by Root"
discussion: |
Audit log files _MUST_ be owned by root.
The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
check: |
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
/bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
result:
integer: 0
fix: |
22 changes: 11 additions & 11 deletions rules/audit/audit_flags_aa_configure.yaml
@@ -2,9 +2,9 @@ id: audit_flags_aa_configure
title: "Configure System to Audit All Authorization and Authentication Events"
discussion: |
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
@@ -54,14 +54,14 @@ references:
macOS:
- "14.0"
tags:
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cis_lvl2
- cisv8
- cnssi-1253_moderate